new-site/infra/ansible/roles/nginx/templates/pw-security.conf.j2

# {{ ansible_managed }}
# Shared security snippet - included by all server blocks

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://cdn.ywxi.net https://analytics.performancewest.net https://embed.tawk.to https://*.tawk.to; style-src 'self' 'unsafe-inline' https://*.tawk.to https://fonts.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://*.tawk.to https://fonts.gstatic.com; connect-src 'self' https://api.performancewest.net https://api.dev.performancewest.net https://api.stripe.com https://analytics.performancewest.net https://*.tawk.to wss://*.tawk.to; frame-src https://js.stripe.com https://hooks.stripe.com https://cdn.ywxi.net https://*.tawk.to; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; upgrade-insecure-requests;" always;

# Block common attack paths
location ~* \.(php|asp|aspx|cgi|pl)$ {
    return 444;
}

location ~* /(wp-admin|wp-login|wp-content|wp-includes|wordpress) {
    return 444;
}

location ~ /\.git {
    return 444;
}

location ~ /\.env {
    return 444;
}

location ~ /\.ht {
    return 444;
}

location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) {
    return 444;
}

location ~* /(admin|administrator|login\.action|struts) {
    return 444;
}

# Block hidden files and directories (except .well-known)
location ~ /\.(?!well-known) {
    return 444;
}

# Block backup and config files
location ~* \.(bak|config|sql|fla|ini|log|sh|inc|swp|dist|old|save)$ {
    return 444;
}